Phishing Scams Exposed

Malicious hackers need extensive technical knowledge and hundreds of hours of work to exploit technical weaknesses for their benefit.

On the other hand, scammers need some modest technical knowledge paired with good social skills to exploit human weaknesses.

This is why phishing scams have become so frequent: scammers can get significant financial benefits with less effort and time.

And, for the scammers, the crypto space has become a gold mine because the level of knowledge and awareness of many crypto users is still in development.

To ensure that your digital assets and your hard-earned crypto funds are safe, you must learn to identify the different crypto phishing scams and protect yourself from them. 

phishing

Table of Contents

Important notice: Do your research.

Our content is intended to be used and must be used for informational purposes only. It is not intended to provide investment, financial, accounting, legal, tax, or other professional advice.

It is essential to research and verify any information you find on this website or any other website.

Phishing Safety Quiz

Phishing quiz.

This quiz will score your general Phishing scams knowledge.

After completing the quiz, your score will be displayed as well as our feedback on each one of the questions.

Which of the following phishing scams would you be able to recognize? (Mark all that apply)

Before clicking on a link, do you first check the destination address?

Could you recognize a malicious address (URL)?

Have you ever checked if your data has been part of a data breach?

How do you answer a phone call from an unknown number?

Do you have a disposable crypto wallet for sites or applications whose safety you need to check?

Before installing a web browser extension, do you check the permissions requests and verify it's a legitimate extension?

Would you allow someone from a customer service support to remote connect to your computer?

Has this quiz been of value to you?

If the answer is yes and you think that it will be of value to someone else, please share it:

What is Phishing?

Phishing uses social engineering techniques to convince people to reveal Personal Identifiable Information (PII), install malicious software or take action that will result in a financial loss.

Social engineering

And social engineering is a psychological manipulation technique used by scammers to exploit human behavior. 

Scammers know how to use the human emotions of fear, greed, curiosity, helpfulness, or urgency to gain an advantage over their victims.

– Fear and urgency: ‘Access to your crypto wallet will be restricted if you don’t do X, Y, or Z within the next 48 hours.’

– Curiosity and greed: ‘You have been selected to receive an Ethereum airdrop. For more information, click on the link below.’

– Helpfulness and greed: ‘I am a poor student, but I have this many funds I cannot access. If you help me, I will reward you with this and that.’

We Have Won A Mutant Ape!
Phishing Email Explored
MEDIUM

Personal Identifiable Information (PII)

Personal Identifiable Information is information that, in combination with other data, can be used to identify a person.

In phishing, scammers will try to get your name, surname, home address, email address, and date of birth. Because that information can be used to figure out your email account password, successfully conduct an SMS swap, or…

Malicious software

Malicious software is any program that intentionally harms a computer, network, or server. 

And malicious software will use in phishing to access Personal Identifiable Information or access the victim’s financial assets or digital accounts.

Financial loss

Scammers use phishing as a system to get financial benefits at the expense of their victims. What the scammer gains, the victim loses.

25 Bitcoin (BTC) Stolen
Protect Your Seed Phrase From Hackers
MEDIUM

Exploring the Various Types of Phishing Attacks

Scammers use different phishing attacks types, depending on the information they have available:

– If a scammer already has some information like the name, surname, or email…, the scammer will use phishing attacks like spear phishing, vishing, and smishing, …

– If a scammer is looking for new targets, it will use phishing attacks like ice phishing, phishing bots, and dusting…

– Safety knowledge –

Depending on the type of phishing attacks that you are receiving, you should be able to deduct how much the scammers know about you.

You should ask yourself – Is this a generic phishing attack or a personalized phishing attack?

Type 1: Spear Phishing

Spear phishing is malicious emails that target specific individuals, organizations, or businesses.

If your email address, name, surname, or home address… has been part of a data breach, you will probably start receiving spear phishing emails.

And because the scammers already have your personal information, it will be easier to convince you that their requests for information or action are legitimate.

Example of a spear phishing scam.

If you want to know if your emails or passwords have been made public, look at haveibeenpwned.com.

This website tracks all the data breaches and the information that has been made public. If your email is flagged, you need to take immediate action.

Email data breach.

How to protect yourself against spear phishing scams

– Never act in a hurry, especially if the email is pushing you to that immediate action

– Before clicking on any link, check the link address. Does it look trustworthy?

– Never provide personal information to a non-identifiable or non-trusted person or organization.

To check a website link address, hover with your mouse pointer over the link or button you want to study. And on the bottom of your browser, you should see the destination address.

An example, if you hoover with your mouse pointer over the link below, on the bottom left of your browser, you should see the following address https://en.wikipedia.org/wiki/Phishing.

HTTPS website example.

Now let’s take a look at a real example of a phishing email:

– The email is asking us to take immediate action, or we are at risk of losing our assets

– By hovering over the button ‘Get Started,’ we can notice on the bottom of the screen that the link is a very long address that does not look trustworthy.

– And if we click on the button, it takes us to a website where scammers request our Metamask wallet address. 

Warning: NEVER click on a suspicious link unless you know how to do it securely.

Metamask phishing email.

The phishing website where the link directs us looks similar to the Metamask website.

But, on this phishing website, the scammer is asking us for our Metamask wallet seed phrase, which it will use to replicate our wallet and steal our funds.

Phishing website example.

In the following video, we explore three Ledger phishing scams. And you will recognize the first one as a spear phishing attack.

Type 2: Angler Phishing

Social media has become a fountain of information for scammers, who now can find dissatisfied customers or people seeking help.

Scammers use online reviews and plead for help to request personal information from people and direct them toward fake websites or convince them to click on malicious links.

Angler phishing example.

How to protect yourself against angler phishing scams

While there are people out there that want to help people in need, you must be aware that in the online and crypto space, you will find many people who want to take advantage of your situation.

The best way to defend yourself from angler phishing scams is to have decent crypto safety knowledge and follow good practices.

For that, we encourage you to browse through our posts, acquire as much knowledge as possible, and apply as many good practices as possible to protect your crypto and digital assets.

Type 3: Clone Phishing

Spammers send emails with content identical to what a victim can expect from a trusted source.

The attacker will mostly clone emails from crypto exchanges or wallets that already contain links. Still, those links will be changed to redirect the victim to malicious sites or download malicious software or applications.

For example, the email from the picture below aims to look similar to a legitimate email from Metamask, a well-known crypto wallet. But:

– Metamask NEVER asks the users for their email addresses. So any email from Metamask is phishing by default.

– The sender of the email has a very suspicious email address

– All the links on the email have as a destination very suspicious addresses.

– All the links in the email reach HTTP website addresses. HTTP website addresses are not secured.

Phishing email example.

How to protect yourself against clone phishing scams

– Before clicking on any link, check the website address by hovering with your mouse over the link. If the address looks suspicious, do not click on it.

– Never open a link whose destination is an HTTP website page. Only HTTPS website addresses are secured, but even HTTPS addresses may lead to malicious sites.

– Use free tools to identify and avoid phishing wesbites.

Type 4: Whaling

Whaling is a form of spear phishing attack, with the difference that it targets high-level executives.

As with phishing, a scammer targeting a high-level executive will probably already have some information about the victim. And the scammer will use this information to compose a reasonable request.

For both phishing and whaling, the scammer will aim to induce a sense of urgency, so the victim takes action immediately. They don’t want you to double-check the integrity of the request because they know that you will quickly find out that the request is malicious.

How to protect yourself against whaling

If someone working for you had a device hacked, information about you or your company might have been compromised.

The best way to prevent whaling from happening is by making sure that your employees are educated in digital safety and follow good practices.

The best way to defend yourself from whaling is by ensuring you are educated to recognize scams and follow digital safety good practices.

Type 5: Vishing

Vishing is made by joining the words ‘Voice’ and ‘Phishing.’

The caller, a scammer, will try to convince the victim to divulge sensitive information, install malicious software or provide financial account details.

Most vishing calls happen after a data breach because, without minimum information, the scammer can spend days making calls without any result.

But once the scammer knows your name, surname, and cell phone number, a vishing call has more potential success unless you have already learned about this kind of scam.

Example of a vishing scam.

How to protect yourself against vishing

Hang up the phone… it is that simple.

If you receive a call from anyone pushing you to stay on the phone or making any request from you that you are not comfortable with… hang up the phone.

Many people find it difficult to hang up the phone because they don’t want to be rude. But this skill needs to be learned and applied to defend yourself against unwanted calls.

And, very importantly, never answer a call with a ‘Hello, <your name/surname> speaking…’ because you are already giving away personal information to someone you don’t know. 

Type 6: Ice Phishing

Scammers use ice phishing to trick their victims into permitting them to access their crypto assets.

It has become widespread to lure victims to grant permissions to their wallets that the scammers do use to drain the victim’s wallets of any valuable funds.

For example, many people have reported having their crypto assets stolen after connecting their wallets to the site below and approving the access request.

– The website tried to create a sense of urgency by stating that nearly all the prizes are already claimed.

– The website is asking for wallet permissions that are not usual or are not usual for knowledgeable crypto users.

Ice phishing example.

How to protect yourself against ice phishing

Once again, to protect your crypto assets from ice phishing, you need to use a combination of knowledge and good practices:

– Protect your wallet from scammers by triple checking any access request to your wallet. Most probably, the scam has already been flagged by other crypto users so that an internet search can verify most scams.

– Do not use your primary wallets by default. You can easily create test wallets and use those wallets to check suspicious sites or access requests.

Type 7: Unicode Domain Phishing

Unicode domain phishing attacks use characters from the Unicode domain that look very similar.

And it is nearly impossible to determine a fake domain by looking at the link.

For example, which one of the following is the legitimate link to the Apple website?

https://www.apple.com/

https://www.apple.com/

If you don’t know, click the links and check where they take you.

Unicode phishing example.

How to protect yourself against Unicode phishing

Check the link address by hovering your mouse icon over the link.

On the bottom left of your screen, you should be able to see the destination address.

And, if it looks suspicious, do not click on it.

Type 8: Fake Browse Extensions

A browser extension is a plug-in that adds functionality to a browser.

The browser extensions need some permissions to perform their function. For example, the Google Translate browser extension needs to be able to read and change all the data on all websites you visit. 

And while granting many access rights to Google Translate is relatively safe, it does not work the same for those browser extensions with malicious intentions.

Google translate access rights.

How to protect yourself against fake browser extensions

Before installing a browse extension, check the information provided in ‘Overview’ ‘Privacy practices.’ ‘Reviews,’ ‘Support,’ and ‘Related’ for anything suspicious.

Read what permissions the browser extension request and if those permissions are essential.

In case of doubt, search on the internet for reviews and opinions. Unless it is a very new malicious browser extension, security experts probably have already flagged it, and their warnings should be available on the internet.

Type 9: Phishing Bots

Phishing bots are computer programs that execute repetitive tasks.

They commonly look for keywords on popular platforms like YouTube, Twitter, and Reddit,…

Some examples of keywords that may prompt a bot to take action are ‘Metamask + help’ or ‘Bitcoin wallet + support’… which will alert and scammer of a potential victim.

This is why it is essential NOT to TRUST and ALWAYS VERIFY that any request from any source is legitimate.

For example, the picture below has been taken from a Twitter message request. 

And this is most probably a message created by a bot, which most probably distributes the same news to all the Twitter accounts that meet a condition. Like, for example, to follow Trust Wallet on Twitter.

Twitter bot example.

How to protect yourself against phishing bots

In most cases, you cannot prevent bots send you messages or trying to reach you.

But it would be best if you were highly suspicious of any message from any unknown source, especially those requiring you to take action.

If a message looks suspicious, ignore it. Do not take any action. 

In general, digital and crypto safety knowledge and good practices are your best defense against phishing bots.

Type 10: Smishing

Smishing is a type of scam that uses SMS text messages as a channel for the scammer to reach a potential victim.

For example, the picture below has been taken from a text message received by a person whose personal details were part of a personal data breach.

The scammers hope this person will click on the link and follow some instructions that will lead the victim to provide the wallet seed phrase.

And once the scammers have the wallet seed phrase, they will drain it.

Smishing scam example.

How to protect yourself against smishing

Do not trust any SMS text messages that arrive from an unknown source.

And, even if the source looks familiar, ask yourself if that source needs to reach you by SMS.

Any SMS text message from unknown sources must be mistrusted.

And never click on any link from an unknown source, even if you feel curious.

Type 11: Dusting

Dusting refers to a minimal amount of cryptocurrencies (a.k.a. dust) sent by scammers to the victim’s cryptocurrency wallets to gain knowledge about the wallet owner’s identity.

With that knowledge, the scammers plan to organize a customized phishing attack with a higher probability of success.

Dusting scam example.

How to protect yourself against dusting

Leave it there if you find unknown ‘dust’ in your wallet. Please do not touch it.

Even if you move it to another wallet, this will alert the scammers.

Phishing Frequently Asked Questions

The questions from other people are windows to knowledge that maybe we need, but we never consider we missed.

How can I know if a link (URL) is trustworthy?

You can use the Waybackmachine to find if a URL is trustworthy.

If you search for a website you know was created many years ago, you should see that snapshots have been saved over many years.

A cloned website should have a few or no snapshots.

Wayback machine.

What is the difference between phishing and smishing?

Phishing and Smishing scammers want to convince people to divulge private information, but the way to obtain that information or convince the user to take action is different. 

In a phishing attack, the scammer sends an email to the victim. 

In most cases, the phishing email contains a link the user must click for the scam to succeed.

In a Smishing attack, the scammers send SMS text messages to the victim.

The Smishing text message usually contains a link to malware or a malicious website.

What is the difference between phishing and vishing?

Phishing and vishing scammers want to trick users into divulging private information, but the way to obtain that information or convince the user to take action is different. 

In a phishing attack, the scammer sends an email to the victim. 

In most cases, the phishing email contains a link the user must click for the scam to succeed.

In a vishing attack, the scammer reaches the victim through a phone call and tries to convince the victim to take action.

What is the difference between phishing and pharming?

Phishing and pharming scammers want to trick users into divulging private information, but the way to obtain that information or convince the user to take action is different. 

In a phishing attack, the scammer sends an email to the victim. 

In most cases, the phishing email contains a link the user must click for the scam to succeed.

In a pharming attack, the scammer tricks the victim into installing malware that will intercept web requests and redirect the victim to malicious websites.  

Pharming attacks mostly use phone calls or media applications like Reddit and Twitter,… to reach the victim.

Has this post been of value to you?

If the answer is yes, and you think that it will be of value to someone else, please share it:

Thanks for sharing,

and promoting crypto safety and digital security.

Are you looking for additional information about the same or similar topics?

How to Keep Your Crypto Assets Safe

The more you know, the better you can prepare yourself to protect your digital assets from hacks, scams, and disasters.

The Safest Crypto Wallet

How To Choose The Safest Crypto Wallet For You
KNOWLEDGE

Anonymity and Data Protection

The Power of VPNs: Maximize Your Safety and Privacy
KNOWLEDGE

And the more good practices you follow, your crypto digital assets will be more secure.

Two-Factor Authentication (2FA)

Fortify Your Security With Two-Factor Authentication (2FA)
GOOD PARCTICES

Strong and Unique Passwords

The Power of Strong and Unique Passwords: Online Security
GOOD PRACTICES

Please, if you have one more minute, consider leaving us feedback

We would love to hear your opinion.

How do you rank the content of this page?

What kind of information or resources were you looking for?

Is there anything else that you would like to tell us:

– Is there any other topic of your interest that we should cover?

– Is there something we should be aware of?

Please fill out the form below or send us an email to feedback@cryptosafetyfirst.com